I see that many topics here are related to securing data, equipment at an enterprise level. Good advice includes stuff like blocking all unused ports, allowing only whitelisted traffic and installing firewalls, IPS and such.

However, many of these steps are inapplicable on a personal computer level. Normal users cannot be expected to have good hardware based firewalls, IPS and other expensive equipment. Allowing only whitelisted traffic isn't also very manageable, considering the amount of applications using different ports, connecting to different IPs a personal computer has.

What are some of the more useful steps a more security-savvy person could take to better protect his/her personal computer, besides the common advice such as installing an anti-virus, not visiting suspicious sites or downloading suspicious attachments from emails.

Answers for both Windows and common Linux distributions would be great.

Note: Some help retagging the question would be great, I cannot think of an appropriate tag for this question.

1 Answer
1

There are all sorts of ways that home users can keep their data and / or identities secure while still having a usable computer. Below are a few of the most common ways the average Joe can secure his machine:

Choosing a strong passphrase

Yes, we've all heard it time and time again, but there is probably no easier way to improve your security. If you're a fan of passwords, make sure to choose something that contains enough entropy to be reasonably secure, while still being easy to memorize. A random series of letters and numbers is great, but you probably won't be able to memorize a very long string of them. Anything that includes personal information should also be avoided. Mixing your name with your birthdate is not secure, no matter how long and random it might look.

Personally, I'm a fan of pass phrases. Pick a few random words from a dictionary (I choose somewhere between 5 and 10 depending on the required ammount of entropy), and you've probably generated enough entropy to keep an attacker guessing for much longer than will be practical (see the XKCD on the topic for a laugh).

Other people prefer to use pass-sentences. While these may be longer than your typical passphrase, they may or may not be anymore secure.

Encrypting your data

There are plenty of great options for full-disk encryption on both Linux and Windows. Remember, encryption is only as strong as the password you choose (see above).

Windows

TrueCrypt is a fantastic piece of software for full disk encryption on Windows machines. It's transparent, easy to use, and provides a nice little interface for mounting / unmounting your various drives, USB keys, etc. and for creating hidden disk images that can give you plausible deniability when taking encrypted data into / outof countries that don't like encryption. The down side is that you'll need to have it installed on any computer on which you want to mount your drives.

Windows also has built in File System Level encryption, but I've had some issues with it randomly deleting my private key in the past (make sure to have a backup, possibly on a TrueCrypt encrypted volume), so I don't often recommend it.

Linux

Most linux distros come bundled with an encryption subsystem called dm-crypt, often hiding behind a nice key management interface called LUKS. You might also find loop-aes useful, but it sounds more likely that you'd want to use the (often) built in system. For more info you'll have to look at your specific distro's help pages.

Securing your network

You may not have a fancy hardware firewall, but properly configuring the firewall on your router, and the one built into Windows / Linux can go a long way towards keeping your network secure. I know nothing about Windows Firewall, so I'm afraid I can't recommend anything here, but a quick Google Search turned up several articles that appeared to be good guides to configuring it.

Use a supported operating system

If you are running Windows XP or earlier, make sure you update to a later operating system, preferably the most recent stable release. Windows XP is now end of life and no longer patched. Windows XP and older systems are becoming increasingly vulnerable because attackers keep finding new vulnerabilities, and nothing is being done to prevent them on these older operating systems.

Don't automatically run programs

Most systems now are configured not to automatically run programs when you stick in a CD or USB key, but some older (unpatched) versions of Windows might not be. If you are running Windows XP, and are not willing to upgrade, at least make sure the last available patches are applied.

Install security related updates

Actually, if you're running anything make sure you've got the latest security updates. Simply turning on Automatic Updating in Windows, or making sure to run updates often in Linux can go a long way towards keeping you safe.

Use SSL / secure wifi

Make sure you're not sending your password over a plaintext connection. Even the least tech-savvy user can check for the little green lock icon ane make sure the site they're logging into says "https" in the nav bar. It may not protect you from much, but at least it will prevent the guy sitting next to you in the coffeeshop from snooping out your password.

On that same note, secure your wifi networks with WPA (and choose a good password... again, see above), and try not to connect via unsecured wireless networks (including those that use WEP).

SSH

If you're using SSH to access your computer remotely, make sure to turn it off for the root account, and always use public key authentication. This is a bit more advanced topic (and probably only applicable to Linux, or not at all for the average home user), but still worth talking about. Other things you can do include disabling protocol 1, allowing only certain users to login remotely, and disabling X-forwarding (depending on your requirements). For more info, see this article on the CentOS wiki.

Conclusion

While most of these techniques are widely known, or may seem laughably simple, you'd be supprised how many people don't follow them and how many attackers can be detered by a little common sense, and basic security policies.